Ethereal-users: Re: [Ethereal-users] Minor bug in ethereal 0.10.2 ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 27 Feb 2004 23:59:37 -0800
On Fri, Feb 27, 2004 at 07:28:59PM +0100, Marco Rommelse wrote:
> I have noticed that the != operator doesn't work as expected anymore in the
> display-filter field. I am using ethereal version 0.10.2. This has worked up
> to version 0.10.0a. So if I want to filter out ip-address 192.168.1.2 for
> instance, I would normally enter ip.addr != 192.168.1.2. This doesn't seem
> to work anymore.  You can get around it by entering !(ip.addr ==
> 192.168.1.2) instead. Has anyone else seen this?

Yes, I've seen it, because that's how Ethereal is supposed to work.

I've even seen it in 0.10.0a - I just downloaded it, built it, and tried
it, and "ip.addr != XXX.XXX.XXX.XXX" matched IP packets where at least
one of the addresses (source or destination) was something other than
XXX.XXX.XXX.XXX, as it was supposed to.

That means that it *will* match, for example, packets that are from
XXX.XXX.XXX.XXX but not *to* XXX.XXX.XXX.XXX, as well as packets that
are to XXX.XXX.XXX.XXX but not *from* XXX.XXX.XXX.XXX.

That's because

	1) "ip.addr != XXX.XXX.XXX.XXX" matches all packets that have an
	   "ip.addr" field whose value isn't XXX.XXX.XXX.XXX

and

	2) an IPv4 packet has *two* "ip.addr" fields, one whose value is
	   the source address and one whose value is the destination
	   address, so that "ip.addr == XXX.XXX.XXX.XXX" will match
	   packets to or from XXX.XXX.XXX.XXX.

I.e., that's not a bug, that's a feature, and it's not new in 0.10.2 or
even 0.10.1.  It is, perhaps, counter-intuitive, but it's not clear that
special-casing the "!=" operator (which is what having "ip.addr !=
XXX.XXX.XXX.XXX" match only packets that have *no* "ip.addr" field equal
to XXX.XXX.XXX.XXX would require) would

	1) not make the implementation of display filters somewhat ugly;

	2) not make the display filter model a bit ugly - what about the
	   other operators?

	3) not make some other reasonable filter expressions not work at
	   all (i.e., somebody might want to find packets that have *no*
	   instance of some filter field equal to a certain value).

The correct way to find packets that are neither to nor from
XXX.XXX.XXX.XXX is, as you've discovered, "!(ip.addr ==
XXX.XXX.XXX.XXX)", which also matches packets that aren't IP packets at
all (as they have *no* "ip.addr" fields, so they don't have an "ip.addr"
field that's equal to XXX.XXX.XXX.XXX).  If you only want IP packets that
are neither to nor from XXX.XXX.XXX.XXX, that'd be

	ip && !(ip.addr == XXX.XXX.XXX.XXX)